hi,
is there a way for a FSFD to detect if user file mapping is being
created/opened for a file, or if a file currently has any user file mapping?
is it possible to use ZwOpenSection as a hint? i mean, if it fails, there
isn’t any user file mapping…
Ampsi
On XP and later, you can use the new filter callbacks
(FsRtlRegisterFileSystemFilterCallbacks) to get notification of a
CreateSection via the PostAcquireForSectionSynchronization vector.
On older OS’s you can “hook” the SystemService vector (You didn’t hear this
from me) for NtCreateSection and handle it after calling the original entry.
I think the service indexes are: NT3.51 - 0x20, NT4.0 - 0x21 & W2K - 0x2B.
These indexes are in the System Service Table as follows:
PSD_TABLE table = (PSD_TABLE) KeServiceDescriptorTable;
PVOID *entryPoints = table->ServiceTableStart;
// Hook it
OldServiceEntry =
(PVOID)InterlockedExcahnge((PLONG)&entryPoints[ServiceIndex],
(PLONG)&NewServiceEntry);
By the way, the preceding technique does not work on XP and later systems
because the dispatch table is write protected.
/ted
-----Original Message-----
From: Ampsi [mailto:xxxxx@pmail.ntu.edu.sg]
Sent: Wednesday, May 07, 2003 8:09 AM
To: File Systems Developers
Subject: [ntfsd] detect file mapping
hi,
is there a way for a FSFD to detect if user file mapping is being
created/opened for a file, or if a file currently has any user file mapping?
is it possible to use ZwOpenSection as a hint? i mean, if it fails, there
isn’t any user file mapping…
Ampsi
You are currently subscribed to ntfsd as: xxxxx@livevault.com To unsubscribe
send a blank email to xxxxx@lists.osr.com
You did not hear me from either …
There is example of avoiding the hard coded function number ( vector number)
by using example from undocumented NT. But for win2k+ you will have to make
sure that the Page protection is disabled, while the dispatch pointer is
being replaced. ntndis website has an example of how to do that precisely.
Also the undocumented win 2k book might have a way to do it.
I do have an example for just doing this, because I needed to know when a
file is getting mapped…
-prokash
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Ted Hess
Sent: Wednesday, May 07, 2003 10:17 AM
To: File Systems Developers
Subject: [ntfsd] RE: detect file mapping
On XP and later, you can use the new filter callbacks
(FsRtlRegisterFileSystemFilterCallbacks) to get notification of a
CreateSection via the PostAcquireForSectionSynchronization vector.
On older OS’s you can “hook” the SystemService vector (You didn’t hear this
from me) for NtCreateSection and handle it after calling the original entry.
I think the service indexes are: NT3.51 - 0x20, NT4.0 - 0x21 & W2K - 0x2B.
These indexes are in the System Service Table as follows:
PSD_TABLE table = (PSD_TABLE) KeServiceDescriptorTable;
PVOID *entryPoints = table->ServiceTableStart;
// Hook it
OldServiceEntry =
(PVOID)InterlockedExcahnge((PLONG)&entryPoints[ServiceIndex],
(PLONG)&NewServiceEntry);
By the way, the preceding technique does not work on XP and later systems
because the dispatch table is write protected.
/ted
-----Original Message-----
From: Ampsi [mailto:xxxxx@pmail.ntu.edu.sg]
Sent: Wednesday, May 07, 2003 8:09 AM
To: File Systems Developers
Subject: [ntfsd] detect file mapping
hi,
is there a way for a FSFD to detect if user file mapping is being
created/opened for a file, or if a file currently has any user file mapping?
is it possible to use ZwOpenSection as a hint? i mean, if it fails, there
isn’t any user file mapping…
Ampsi
You are currently subscribed to ntfsd as: xxxxx@livevault.com To unsubscribe
send a blank email to xxxxx@lists.osr.com
You are currently subscribed to ntfsd as: xxxxx@vormetric.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
FSRTL_FLAG_USER_MAPPED_FILE in common FCB header.
Note that it will never be reset.
Max
----- Original Message -----
From: “Ampsi”
To: “File Systems Developers”
Sent: Wednesday, May 07, 2003 4:09 PM
Subject: [ntfsd] detect file mapping
> hi,
>
> is there a way for a FSFD to detect if user file mapping is being
> created/opened for a file, or if a file currently has any user file
mapping?
>
> is it possible to use ZwOpenSection as a hint? i mean, if it fails,
there
> isn’t any user file mapping…
>
> Ampsi
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
Is this flag set even if the file is not cached? The comments indicate
that the Cache Manager sets this flag. My feeling is that if
CcIsFileCached returns FALSE, then DataSectionObject should be checked
in SectionObjectPointers.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim
S. Shatskih
Sent: Wednesday, May 07, 2003 7:52 AM
To: File Systems Developers
Subject: [ntfsd] Re: detect file mappingFSRTL_FLAG_USER_MAPPED_FILE in common FCB header.
Note that it will never be reset.Max
----- Original Message -----
From: “Ampsi”
> To: “File Systems Developers”
> Sent: Wednesday, May 07, 2003 4:09 PM
> Subject: [ntfsd] detect file mapping
>
>
> > hi,
> >
> > is there a way for a FSFD to detect if user file mapping is being
> > created/opened for a file, or if a file currently has any user file
> mapping?
> >
> > is it possible to use ZwOpenSection as a hint? i mean, if it fails,
> there
> > isn’t any user file mapping…
> >
> > Ampsi
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@storagecraft.com To
> > unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@nryan.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>